10-26-2015 11:49 AM - edited 03-08-2019 02:26 AM
Hi Folks,
I have an issue.
We have a separate training network which only needs access to three websites (one is surveymonkey.com, another is a company website, and the third is Symantec LiveUpdate). All the websites are hosted on the internet only.
I allowed direct access to the internet for this subnet in our firewall (to bypass proxy authentication).
I created a separate SVI for this purpose in our core switch and created an extended access list just to allow the three websites, and applied it on the SVI.
Now SurveyMonkey has a list of domains that need to be allowed to access the website, which you can see at the URL below. I allowed all these SurveyMonkey IP addresses in the ACL along with the two other websites.
Now the problem is users are complaining that the SurveyMonkey website alone is very, very slow; it takes one minute to load the page. It's not an issue with switch/network speed etc., because when I remove the ACL, the website access is very fast.
Could you check whether anything is wrong in my ACL, or any factors which would help to isolate the issue?
SVI Configuration:
Building configuration...
Current configuration : 120 bytes
!
interface Vlan4
ip address 10.19.4.1 255.255.254.0
ip access-group 102 in
end
ACL Configurations:
ARCS3750S01#sh ip access-lists
Extended IP access list 102
10 permit ip 10.19.4.0 0.0.1.255 75.98.93.48 0.0.0.15 (3 matches)
11 permit ip 10.19.4.0 0.0.1.255 host 72.21.91.8
12 permit ip 10.19.4.0 0.0.1.255 host 23.212.6.19
13 permit ip 10.19.4.0 0.0.1.255 host 64.39.96.42
14 permit ip 10.19.4.0 0.0.1.255 host 72.21.91.29
15 permit ip 10.19.4.0 0.0.1.255 host 63.80.4.41
16 permit ip 10.19.4.0 0.0.1.255 host 63.80.4.19
20 permit ip 10.19.4.0 0.0.1.255 host 96.6.122.143
30 permit ip 10.19.4.0 0.0.1.255 host 96.6.122.144
40 permit ip 10.19.4.0 0.0.1.255 host 96.6.122.147
50 permit ip 10.19.4.0 0.0.1.255 host 23.3.231.143
60 permit ip 10.19.4.0 0.0.1.255 host 62.23.104.135
70 permit ip 10.19.4.0 0.0.1.255 host 184.28.188.177
71 permit ip 10.19.4.0 0.0.1.255 host 184.28.188.178
72 permit ip 10.19.4.0 0.0.1.255 host 184.28.188.201
73 permit ip 10.19.4.0 0.0.1.255 host 184.28.188.194
74 permit ip 10.19.4.0 0.0.1.255 host 184.28.188.203
90 permit ip 10.19.4.0 0.0.1.255 host 10.155.7.20
100 permit ip 10.19.4.0 0.0.1.255 host 10.155.1.140
110 permit ip any host 10.19.4.1 (526 matches)
120 permit ip host 10.19.4.28 any (3611 matches)
Appreciate your help on this topic.
10-26-2015 12:04 PM
I'm not sure I follow.
I just did an nslookup on some of the domain names in your link and none of the IPs returned are in your ACL.
Jon
10-26-2015 12:41 PM
Hi.
Please check the details below.
surveymonkey.com - 75.98.93.51
static.surveymonkey.com
images.surveymonkey.com - (63.80.4.41 , 63.80.4.19)
styles.surveymonkey.com - (63.80.4.41 , 63.80.4.19)
scripts.surveymonkey.com - (63.80.4.41 , 63.80.4.19)
secure.surveymonkey.com - 23.212.6.19
www.surveymonkey.com -
surveymonkey.com
www.surveymonkey.com
contribute.surveymonkey.com - 75.98.93.52
panel.surveymonkey.com - 75.98.93.52
panels.surveymonkey.com - 75.98.93.52
surveymonkey.net - 75.98.93.54
www.surveymonkey.net - 75.98.93.54
surveymk.com - 75.98.93.56
www.surveymk.com - 75.98.93.56
api.surveymonkey.com - 75.98.93.58
resources.research.net - 75.98.93.59
research.net - 75.98.93.60
www.research.net - 75.98.93.60
Hi, all the IP addresses are already added in the ACL.
10 permit ip 10.19.4.0 0.0.1.255 75.98.93.48 0.0.0.15 - this summarizes all the IPs in the 75.98.93.x range
10-26-2015 12:54 PM
Okay, I get different IPs, but that might mean they have multiple servers in different regions.
If the access is really slow then your ACL is blocking something you need to allow through.
There are two ways to approach this (although you could use them both):
1) On the switch, add a deny line at the end of your ACL with the "log" keyword, and this will show you what is being blocked.
Note though that you will probably see a lot of other traffic as well, and logging may have an impact on the switch's performance, so it is best to do it out of hours and test from a client.
So a more specific test would be to:
2) Run a packet capture on the client and see what packets it is sending out.
I would probably try the packet capture first, as that should show what connections the client is waiting on.
Like I say, it must be some traffic to an IP that you are not allowing through that you need to, and this will seriously slow down the connection.
Jon
11-03-2015 06:41 AM
Hi Jon,
Thanks for your valuable inputs.
I think you are right; for the three domains below, the IP address keeps changing.
A week before it was
images.surveymonkey.com - (63.80.4.41 , 63.80.4.19)
styles.surveymonkey.com - (63.80.4.41 , 63.80.4.19)
scripts.surveymonkey.com - (63.80.4.41 , 63.80.4.19)
Currently it is resolving to
images.surveymonkey.com - 23.216.10.233 , 23.216.10.232
styles.surveymonkey.com - 23.216.10.233 , 23.216.10.232
scripts.surveymonkey.com - 23.216.10.233 , 23.216.10.232
For my colleague in a different region, it is resolving to different IPs than these two.
Now the issue is, I can't add the ACL entry as a domain name in my switch; it is immediately converting it to the IP address:
SWC(config-ext-nacl)#$0 0.0.1.255 ho
SWC(config-ext-nacl)#$0 0.0.1.255 host surveymonkey.net
Translating "surveymonkey.net"...domain server (10.81.1.29) [OK]
All these IP addresses belong to Akamai Technologies (a cloud service provider).
I already sent an e-mail to SurveyMonkey asking them to provide me the complete list of IPs for these domains.
How can we address this? Any inputs?
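One way to do the check Jon describes above (find which addresses the ACL is silently dropping) against the changing Akamai addresses, written as an added example that is not from this thread: parse the switch's "sh ip access-lists" output, then test each address a client currently resolves against the entries in order, the way the switch does. The ACL entries are copied from the post above; the resolved addresses and the client address 10.19.4.50 are constructed sample values, and the wildcard handling assumes contiguous masks.

```python
import ipaddress
# Constructed sample: entries copied from the thread's "sh ip access-lists" output.
ACL_TEXT = """
10 permit ip 10.19.4.0 0.0.1.255 75.98.93.48 0.0.0.15 (3 matches)
12 permit ip 10.19.4.0 0.0.1.255 host 23.212.6.19
15 permit ip 10.19.4.0 0.0.1.255 host 63.80.4.41
110 permit ip any host 10.19.4.1 (526 matches)
"""

# Constructed: addresses a client resolved today (assumed values, not a live lookup).
RESOLVED = {
    "surveymonkey.com": ["75.98.93.51"],
    "secure.surveymonkey.com": ["23.212.6.19"],
    "images.surveymonkey.com": ["23.216.10.233", "23.216.10.232"],
}

def take_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Wildcard mask is the inverse of a subnet mask; assumes a contiguous mask (0.0.0.15 -> /28).
    prefix = 32 - int(ipaddress.IPv4Address(tokens[1])).bit_length()
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acl(text):
    """Return [(seq, action, src_net, dst_net)] for the 'permit/deny ip' entries."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[1] not in ("permit", "deny") or t[2] != "ip":
            continue  # header line or a protocol/port form this example does not parse
        src, rest = take_addr(t[3:])
        dst, _ = take_addr(rest)  # trailing "(n matches)" counter is ignored
        rules.append((int(t[0]), t[1], src, dst))
    return rules

def first_match(rules, src_ip, dst_ip):
    """(action, seq) of the first matching entry; ('deny', None) for the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, action, src, dst in rules:
        if s in src and d in dst:
            return action, seq
    return "deny", None

def blocked_hosts(rules, resolved, client_ip):
    """Map each name to the resolved addresses the ACL would drop for this client."""
    return {name: [ip for ip in ips if first_match(rules, client_ip, ip)[0] == "deny"]
            for name, ips in resolved.items()}
```

Run `blocked_hosts(parse_acl(ACL_TEXT), RESOLVED, "10.19.4.50")` after pasting in today's resolver answers; every non-empty list is a host the page is waiting on until the browser times out.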
11-03-2015 06:56 AM
Hello,
I guess there might also be some reference objects to other websites or locations in those websites, which causes a delay before getting blocked.
Save some pages of the website in HTML format and check for some other URLs.
11-11-2015 11:26 AM
Hi Masoud,
I didn't get your point; could you please elaborate a little more? The issue we are facing is that the SurveyMonkey domains below are currently hosted on third-party vendors, where the IP addresses are dynamic, so an IP-address-based ACL is not working.
The problem is we are using Checkpoint firewalls, and it won't be possible to create a rule filtering on a domain. We tried a couple of years ago and the performance of the firewall was so bad we had to do a rollback, for one reason: to do URL or domain filtering we have to enable DNS resolution, and when we have thousands of packets per second passing through the firewall it cannot handle the volume.
Hence we are looking for some options, whether we can configure a domain-based ACL in a Cisco switch (which I don't think is possible) or try to get the complete list of IP addresses from SurveyMonkey, which also didn't work since they were not able to provide these IP details.
Any suggestions on how we can handle this will be helpful.
11-11-2015 02:08 PM
Hello,
When you send an HTTP request to a web server, you get a base file at first. There might be some reference objects in that base file to other sites.
Go on a client which is taking 2 minutes to access that website. After receiving the webpage completely, save the webpage and check the HTML file for any references to other sites.
Also, as Jon mentioned, configure log on a DENY entry at the end of your access-list to check which IPs are being blocked. Try to check one client to see the result better.
Masoud